author | Maurício Meneghini Fauth <mauricio@fauth.dev> | 2021-09-01 18:52:59 +0300 |
---|---|---|
committer | Maurício Meneghini Fauth <mauricio@fauth.dev> | 2021-09-01 18:52:59 +0300 |
commit | e5e7bd2f95911b92ebdf1a7e357a4477f360e891 (patch) | |
tree | eae5a597e039307bd47b4eac165a036dbff2981d | |
parent | 4c6061a04ec94ab9eb89040db8495fa3555e534b (diff) |
Access POST params from the ServerRequest class
Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
-rw-r--r-- | libraries/classes/Controllers/ExportController.php | 77 | ||||
-rw-r--r-- | libraries/classes/Controllers/ExportTemplateController.php | 39 | ||||
-rw-r--r-- | libraries/classes/Controllers/GisDataEditorController.php | 48 | ||||
-rw-r--r-- | libraries/routes.php | 2 | ||||
-rw-r--r-- | psalm-baseline.xml | 44 | ||||
-rw-r--r-- | templates/gis_data_editor_form.twig | 2 | ||||
-rw-r--r-- | test/classes/Controllers/ExportTemplateControllerTest.php | 36 |
7 files changed, 131 insertions, 117 deletions
diff --git a/libraries/classes/Controllers/ExportController.php b/libraries/classes/Controllers/ExportController.php index 405c5b522a..25f2f1be62 100644 --- a/libraries/classes/Controllers/ExportController.php +++ b/libraries/classes/Controllers/ExportController.php @@ -9,6 +9,7 @@ use PhpMyAdmin\Core; use PhpMyAdmin\Encoding; use PhpMyAdmin\Exceptions\ExportException; use PhpMyAdmin\Export; +use PhpMyAdmin\Http\ServerRequest; use PhpMyAdmin\Message; use PhpMyAdmin\Plugins; use PhpMyAdmin\Plugins\ExportPlugin; @@ -55,7 +56,7 @@ final class ExportController extends AbstractController $this->relation = $relation; } - public function index(): void + public function __invoke(ServerRequest $request): void { global $containerBuilder, $db, $export_type, $filename_template, $sql_query, $errorUrl, $message; global $compression, $crlf, $asfile, $buffer_needed, $save_on_server, $file_handle, $separate_files; 
@@ -66,6 +67,28 @@ final class ExportController extends AbstractController global $active_page, $do_relation, $do_comments, $do_mime, $do_dates, $whatStrucOrData, $db_select; global $table_structure, $table_data, $lock_tables, $allrows, $limit_to, $limit_from; + /** @var array<string, string> $postParams */ + $postParams = $request->getParsedBody(); + + /** @var string $whatParam */ + $whatParam = $request->getParsedBodyParam('what', ''); + /** @var string|null $quickOrCustom */ + $quickOrCustom = $request->getParsedBodyParam('quick_or_custom'); + /** @var string|null $outputFormat */ + $outputFormat = $request->getParsedBodyParam('output_format'); + /** @var string $compressionParam */ + $compressionParam = $request->getParsedBodyParam('compression', ''); + /** @var string|null $asSeparateFiles */ + $asSeparateFiles = $request->getParsedBodyParam('as_separate_files'); + /** @var string|null $quickExportOnServer */ + $quickExportOnServer = $request->getParsedBodyParam('quick_export_onserver'); + /** @var string|null $onServerParam */ + $onServerParam = $request->getParsedBodyParam('onserver'); + /** @var array|null $aliasesParam */ + $aliasesParam = $request->getParsedBodyParam('aliases'); + /** @var string|null $structureOrDataForced */ + $structureOrDataForced = $request->getParsedBodyParam('structure_or_data_forced'); + $this->addScriptFiles(['export_output.js']); /** @@ -77,7 +100,7 @@ final class ExportController extends AbstractController * TODO: this should be removed to avoid passing user input to GLOBALS * without checking */ - $post_params = [ + $allowedPostParams = [ 'db', 'table', 'what', 
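Review bot: The `@var string` and `@var array<string, string>` annotations on the new `$postParams`, `$whatParam`, `$compressionParam` and the other locals narrow the types for Psalm but add no runtime check; `getParsedBodyParam()` hands back whatever the client posted, so a request carrying `what[]=x` still reaches `Core::securePath($whatParam)` with an array, exactly as the old `$_POST['what']` did. The `array<string, string>` shape is also contradicted two lines later, where `$aliasesParam` is typed `array|null`. Where a string is required, validate rather than annotate, e.g. `$whatParam = $request->getParsedBodyParam('what', ''); if (! is_string($whatParam)) { $whatParam = ''; }`, which is what justifies dropping the psalm-baseline entries. The same unchecked-annotation pattern appears in the GisDataEditorController hunk (`$type`, `$value`, `$field`) and in `ExportTemplateController::create()`. `__invoke()` continues outside this hunk.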
@@ -198,18 +221,18 @@ final class ExportController extends AbstractController 'aliases', ]; - foreach ($post_params as $one_post_param) { - if (! isset($_POST[$one_post_param])) { + foreach ($allowedPostParams as $param) { + if (! isset($postParams[$param])) { continue; } - $GLOBALS[$one_post_param] = $_POST[$one_post_param]; + $GLOBALS[$param] = $postParams[$param]; } Util::checkParameters(['what', 'export_type']); // sanitize this parameter which will be used below in a file inclusion - $what = Core::securePath($_POST['what']); + $what = Core::securePath($whatParam); // export class instance, not array of properties, as before /** @var ExportPlugin $export_plugin */ 
@@ -251,45 +274,33 @@ final class ExportController extends AbstractController $separate_files = ''; // Is it a quick or custom export? - if ( - isset($_POST['quick_or_custom']) - && $_POST['quick_or_custom'] === 'quick' - ) { + if ($quickOrCustom === 'quick') { $quick_export = true; } else { $quick_export = false; } - if (isset($_POST['output_format']) && $_POST['output_format'] === 'astext') { + if ($outputFormat === 'astext') { $asfile = false; } else { $asfile = true; - $selectedCompression = $_POST['compression'] ?? ''; - if ( - isset($_POST['as_separate_files']) - && ! empty($_POST['as_separate_files']) - ) { - if ( - ! empty($selectedCompression) - && $selectedCompression === 'zip' - ) { - $separate_files = $_POST['as_separate_files']; - } + if ($asSeparateFiles && $compressionParam === 'zip') { + $separate_files = $asSeparateFiles; } - if (in_array($selectedCompression, $compression_methods)) { - $compression = $selectedCompression; + if (in_array($compressionParam, $compression_methods)) { + $compression = $compressionParam; $buffer_needed = true; } if ( - ($quick_export && ! empty($_POST['quick_export_onserver'])) - || (! $quick_export && ! empty($_POST['onserver'])) + ($quick_export && ! empty($quickExportOnServer)) + || (! $quick_export && ! empty($onServerParam)) ) { if ($quick_export) { - $onserver = $_POST['quick_export_onserver']; + $onserver = $quickExportOnServer; } else { - $onserver = $_POST['onserver']; + $onserver = $onServerParam; } // Will we save dump on server? @@ -301,7 +312,7 @@ final class ExportController extends AbstractController * If we are sending the export file (as opposed to just displaying it * as text), we have to bypass the usual PhpMyAdmin\Response mechanism */ - if (isset($_POST['output_format']) && $_POST['output_format'] === 'sendit' && ! $save_on_server) { + if ($outputFormat === 'sendit' && ! $save_on_server) { $this->response->disable(); //Disable all active buffers (see: ob_get_status(true) at this point) do { 
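Review bot: `in_array($compressionParam, $compression_methods)` keeps the loose comparison of the old code even though `$compressionParam` is now documented as a string; `in_array($compressionParam, $compression_methods, true)` costs nothing and matches the strict `===` used for `'quick'`, `'astext'`, `'zip'` and `'sendit'` elsewhere in the same hunk. The new `if ($asSeparateFiles && $compressionParam === 'zip')` relies on PHP truthiness to reproduce the previous `! empty()` check, so `'0'` is still treated as "not requested"; a one-line comment such as `// '' and '0' mean "not requested", matching the former ! empty() check` would save the next reader the comparison. `__invoke()` continues on both sides of this hunk.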
@@ -348,9 +359,9 @@ final class ExportController extends AbstractController $aliases = Misc::getAliases($parser->statements[0], $db); } - if (! empty($_POST['aliases'])) { - $aliases = $this->export->mergeAliases($aliases, $_POST['aliases']); - $_SESSION['tmpval']['aliases'] = $_POST['aliases']; + if (! empty($aliasesParam)) { + $aliases = $this->export->mergeAliases($aliases, $aliasesParam); + $_SESSION['tmpval']['aliases'] = $aliasesParam; } /** @@ -531,7 +542,7 @@ final class ExportController extends AbstractController $table_data = []; } - if (! empty($_POST['structure_or_data_forced'])) { + if ($structureOrDataForced) { $table_structure = $tables; $table_data = $tables; } diff --git a/libraries/classes/Controllers/ExportTemplateController.php b/libraries/classes/Controllers/ExportTemplateController.php index 45bb9e21ab..3764c0fd40 100644 --- a/libraries/classes/Controllers/ExportTemplateController.php +++ b/libraries/classes/Controllers/ExportTemplateController.php @@ -6,6 +6,7 @@ namespace PhpMyAdmin\Controllers; use PhpMyAdmin\Export\Template as ExportTemplate; use PhpMyAdmin\Export\TemplateModel; +use PhpMyAdmin\Http\ServerRequest; use PhpMyAdmin\Relation; use PhpMyAdmin\ResponseRenderer; use PhpMyAdmin\Template; @@ -35,10 +36,19 @@ final class ExportTemplateController extends AbstractController $this->relation = $relation; } - public function create(): void + public function create(ServerRequest $request): void { global $cfg; + /** @var string $exportType */ + $exportType = $request->getParsedBodyParam('exportType', ''); + /** @var string $templateName */ + $templateName = $request->getParsedBodyParam('templateName', ''); + /** @var string $templateData */ + $templateData = $request->getParsedBodyParam('templateData', ''); + /** @var string|null $templateId */ + $templateId = $request->getParsedBodyParam('template_id'); + $cfgRelation = $this->relation->getRelationsParam(); if (! $cfgRelation['exporttemplateswork']) { 
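Review bot: `$aliasesParam` is documented as `array|null`, yet `! empty($aliasesParam)` also lets a non-empty string or scalar through to `$this->export->mergeAliases()` and into `$_SESSION['tmpval']['aliases']`; the old `$_POST['aliases']` code had the same gap, but this rewrite is the place to close it. Guard on the actual type: `if (is_array($aliasesParam) && $aliasesParam !== []) {`. What `mergeAliases()` does with a non-array argument is not visible here. `__invoke()` continues on both sides of this hunk.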
@@ -47,9 +57,9 @@ final class ExportTemplateController extends AbstractController $template = ExportTemplate::fromArray([ 'username' => $cfg['Server']['user'], - 'exportType' => $_POST['exportType'] ?? '', - 'name' => $_POST['templateName'] ?? '', - 'data' => $_POST['templateData'] ?? '', + 'exportType' => $exportType, + 'name' => $templateName, + 'data' => $templateData, ]); $result = $this->model->create($cfgRelation['db'], $cfgRelation['export_templates'], $template); @@ -72,15 +82,16 @@ final class ExportTemplateController extends AbstractController 'data', $this->template->render('export/template_options', [ 'templates' => is_array($templates) ? $templates : [], - 'selected_template' => $_POST['template_id'] ?? null, + 'selected_template' => $templateId, ]) ); } - public function delete(): void + public function delete(ServerRequest $request): void { global $cfg; + $templateId = (int) $request->getParsedBodyParam('templateId'); $cfgRelation = $this->relation->getRelationsParam(); if (! $cfgRelation['exporttemplateswork']) { @@ -91,7 +102,7 @@ final class ExportTemplateController extends AbstractController $cfgRelation['db'], $cfgRelation['export_templates'], $cfg['Server']['user'], - (int) $_POST['templateId'] + $templateId ); if (is_string($result)) { @@ -104,10 +115,11 @@ final class ExportTemplateController extends AbstractController $this->response->setRequestStatus(true); } - public function load(): void + public function load(ServerRequest $request): void { global $cfg; + $templateId = (int) $request->getParsedBodyParam('templateId'); $cfgRelation = $this->relation->getRelationsParam(); if (! $cfgRelation['exporttemplateswork']) { @@ -118,7 +130,7 @@ final class ExportTemplateController extends AbstractController $cfgRelation['db'], $cfgRelation['export_templates'], $cfg['Server']['user'], - (int) $_POST['templateId'] + $templateId ); if (! $template instanceof ExportTemplate) { 
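Review bot: `(int) $request->getParsedBodyParam('templateId')` in the `delete()` hunk, and identically in the `load()` hunk below it, maps a missing, empty or non-numeric `templateId` to 0 and still calls the model with that id, whereas the old `$_POST['templateId']` access at least surfaced the missing case as an undefined-index warning. Reject the request before the model call, e.g. `if ($templateId <= 0) { $this->response->setRequestStatus(false); return; }`, and since `delete()`, `load()` and `update()` now repeat the same lookup a small private helper would keep the three in step. What the model returns for id 0 is not visible in this diff.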
@@ -132,10 +144,13 @@ final class ExportTemplateController extends AbstractController $this->response->addJSON('data', $template->getData()); } - public function update(): void + public function update(ServerRequest $request): void { global $cfg; + $templateId = (int) $request->getParsedBodyParam('templateId'); + /** @var string $templateData */ + $templateData = $request->getParsedBodyParam('templateData', ''); $cfgRelation = $this->relation->getRelationsParam(); if (! $cfgRelation['exporttemplateswork']) { @@ -143,9 +158,9 @@ final class ExportTemplateController extends AbstractController } $template = ExportTemplate::fromArray([ - 'id' => (int) $_POST['templateId'], + 'id' => $templateId, 'username' => $cfg['Server']['user'], - 'data' => $_POST['templateData'], + 'data' => $templateData, ]); $result = $this->model->update($cfgRelation['db'], $cfgRelation['export_templates'], $template); diff --git a/libraries/classes/Controllers/GisDataEditorController.php b/libraries/classes/Controllers/GisDataEditorController.php index 5ee78c368a..62898731e4 100644 --- a/libraries/classes/Controllers/GisDataEditorController.php +++ b/libraries/classes/Controllers/GisDataEditorController.php @@ -7,13 +7,14 @@ declare(strict_types=1); namespace PhpMyAdmin\Controllers; -use PhpMyAdmin\Core; use PhpMyAdmin\Gis\GisFactory; use PhpMyAdmin\Gis\GisVisualization; +use PhpMyAdmin\Http\ServerRequest; use function array_merge; use function in_array; use function intval; +use function is_array; use function mb_strpos; use function mb_strtoupper; use function mb_substr; 
@@ -25,19 +26,32 @@ use function trim; */ class GisDataEditorController extends AbstractController { - public function __invoke(): void + public function __invoke(ServerRequest $request): void { global $gis_data, $gis_types, $start, $geom_type, $gis_obj, $srid, $wkt, $wkt_with_zero; global $result, $visualizationSettings, $data, $visualization, $open_layers, $geom_count, $dbi; - if (! isset($_POST['field'])) { + /** @var string|null $field */ + $field = $request->getParsedBodyParam('field'); + /** @var array|null $gisDataParam */ + $gisDataParam = $request->getParsedBodyParam('gis_data'); + /** @var string $type */ + $type = $request->getParsedBodyParam('type', ''); + /** @var string|null $value */ + $value = $request->getParsedBodyParam('value'); + /** @var string|null $generate */ + $generate = $request->getParsedBodyParam('generate'); + /** @var string|null $inputName */ + $inputName = $request->getParsedBodyParam('input_name'); + + if (! isset($field)) { return; } // Get data if any posted $gis_data = []; - if (Core::isValid($_POST['gis_data'], 'array')) { - $gis_data = $_POST['gis_data']; + if (is_array($gisDataParam)) { + $gis_data = $gisDataParam; } $gis_types = [ 
@@ -53,17 +67,13 @@ class GisDataEditorController extends AbstractController // Extract type from the initial call and make sure that it's a valid one. // Extract from field's values if available, if not use the column type passed. if (! isset($gis_data['gis_type'])) { - if (isset($_POST['type']) && $_POST['type'] != '') { - $gis_data['gis_type'] = mb_strtoupper($_POST['type']); + if ($type !== '') { + $gis_data['gis_type'] = mb_strtoupper($type); } - if (isset($_POST['value']) && trim($_POST['value']) != '') { - $start = substr($_POST['value'], 0, 1) == "'" ? 1 : 0; - $gis_data['gis_type'] = mb_substr( - $_POST['value'], - $start, - mb_strpos($_POST['value'], '(') - $start - ); + if (isset($value) && trim($value) !== '') { + $start = substr($value, 0, 1) == "'" ? 1 : 0; + $gis_data['gis_type'] = mb_substr($value, $start, (int) mb_strpos($value, '(') - $start); } if ( @@ -82,10 +92,10 @@ class GisDataEditorController extends AbstractController return; } - if (isset($_POST['value'])) { + if (isset($value)) { $gis_data = array_merge( $gis_data, - $gis_obj->generateParams($_POST['value']) + $gis_obj->generateParams($value) ); } @@ -116,7 +126,7 @@ class GisDataEditorController extends AbstractController ->asOl(); // If the call is to update the WKT and visualization make an AJAX response - if (isset($_POST['generate']) && $_POST['generate'] == true) { + if ($generate) { $this->response->addJSON([ 'result' => $result, 'visualization' => $visualization, @@ -138,8 +148,8 @@ class GisDataEditorController extends AbstractController $templateOutput = $this->template->render('gis_data_editor_form', [ 'width' => $visualizationSettings['width'], 'height' => $visualizationSettings['height'], - 'field' => $_POST['field'], - 'input_name' => $_POST['input_name'], + 'field' => $field, + 'input_name' => $inputName, 'srid' => $srid, 'visualization' => $visualization, 'open_layers' => $open_layers, 
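Review bot: The `(int)` cast on `mb_strpos($value, '(')` silences Psalm's PossiblyFalseOperand without handling the case it warned about: when `$value` contains no `(`, `false` becomes 0 and `mb_substr($value, $start, 0 - $start)` stores a truncated fragment of the raw value in `$gis_data['gis_type']`, overwriting the type just derived from `$type`. Test for `false` explicitly and keep the column type otherwise; the check against `$gis_types` that begins at the end of this hunk may reject the fragment, but the intent should be stated rather than relied on. The `substr(...) == "'"` comparison on the line above is still loose and can be `===`. `__invoke()` continues on both sides of this hunk.
```php
if (isset($value) && trim($value) !== '') {
    $start = substr($value, 0, 1) === "'" ? 1 : 0;
    $parenPos = mb_strpos($value, '(');
    // No '(' means there is no WKT prefix to extract; keep the type already set from $type.
    if ($parenPos !== false) {
        $gis_data['gis_type'] = mb_substr($value, $start, $parenPos - $start);
    }
}
```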
diff --git a/libraries/routes.php b/libraries/routes.php
index a3b61db272..1e1ac5ea27 100644
--- a/libraries/routes.php
+++ b/libraries/routes.php
@@ -184,7 +184,7 @@ return static function (RouteCollector $routes): void {
 $routes->post('/databases', DatabaseController::class);
 $routes->addRoute(['GET', 'POST'], '/error-report', ErrorReportController::class);
 $routes->addGroup('/export', static function (RouteCollector $routes): void {
- $routes->addRoute(['GET', 'POST'], '', [ExportController::class, 'index']);
+ $routes->addRoute(['GET', 'POST'], '', ExportController::class);
 $routes->get('/check-time-out', [ExportController::class, 'checkTimeOut']);
 $routes->post('/tables', [DatabaseExportController::class, 'tables']);
 $routes->addGroup('/template', static function (RouteCollector $routes): void {
diff --git a/psalm-baseline.xml b/psalm-baseline.xml
index 318fae1316..e88faca215 100644
--- a/psalm-baseline.xml
+++ b/psalm-baseline.xml
@@ -1861,16 +1861,10 @@
 <code>$whatStrucOrData</code>
 <code>$whatStrucOrData</code>
 </InvalidArgument>
- <MixedArgument occurrences="55">
- <code>$_POST['aliases']</code>
- <code>$_POST['what']</code>
+ <MixedArgument occurrences="46">
 <code>$allrows</code>
 <code>$allrows</code>
 <code>$cfg['MemoryLimit']</code>
- <code>$compression</code>
- <code>$compression</code>
- <code>$compression</code>
- <code>$compression</code>
 <code>$db</code>
 <code>$db</code>
 <code>$db</code>
@@ -1895,9 +1889,6 @@
 <code>$limit_to</code>
 <code>$remember_template</code>
 <code>$save_filename</code>
- <code>$separate_files</code>
- <code>$separate_files</code>
- <code>$separate_files</code>
 <code>$sql_query</code>
 <code>$sql_query</code>
 <code>$sql_query</code>
@@ -1921,14 +1912,7 @@
 <MixedArrayAssignment occurrences="1">
 <code>$_SESSION['tmpval']['aliases']</code>
 </MixedArrayAssignment>
- <MixedAssignment occurrences="10">
- <code>$GLOBALS[$one_post_param]</code>
- <code>$_SESSION['tmpval']['aliases']</code>
- <code>$compression</code>
- <code>$onserver</code>
- <code>$onserver</code>
- <code>$selectedCompression</code>
- <code>$separate_files</code>
+ <MixedAssignment occurrences="3">
 <code>$table_data</code>
 <code>$table_structure</code>
 <code>$tables</code>
@@ -1946,32 +1930,12 @@
 </PossiblyInvalidCast>
 </file>
 <file src="libraries/classes/Controllers/GisDataEditorController.php">
- <MixedArgument occurrences="9">
- <code>$_POST['type']</code>
- <code>$_POST['value']</code>
- <code>$_POST['value']</code>
- <code>$_POST['value']</code>
- <code>$_POST['value']</code>
- <code>$_POST['value']</code>
+ <MixedArgument occurrences="1">
 <code>$geom_type</code>
- <code>$gis_data</code>
- <code>$gis_data</code>
 </MixedArgument>
- <MixedArrayAccess occurrences="1">
- <code>$gis_data['gis_type']</code>
- </MixedArrayAccess>
- <MixedArrayAssignment occurrences="3">
- <code>$gis_data['gis_type']</code>
- <code>$gis_data['gis_type']</code>
- <code>$gis_data['gis_type']</code>
- </MixedArrayAssignment>
- <MixedAssignment occurrences="2">
+ <MixedAssignment occurrences="1">
 <code>$geom_type</code>
- <code>$gis_data</code>
 </MixedAssignment>
- <PossiblyFalseOperand occurrences="1">
- <code>mb_strpos($_POST['value'], '(')</code>
- </PossiblyFalseOperand>
 </file>
 <file src="libraries/classes/Controllers/HomeController.php">
 <MixedArgument occurrences="7">
diff --git a/templates/gis_data_editor_form.twig b/templates/gis_data_editor_form.twig
index 89d629f95e..e49748d691 100644
--- a/templates/gis_data_editor_form.twig
+++ b/templates/gis_data_editor_form.twig
@@ -22,7 +22,7 @@ <label for="choice">{% trans "Use OpenStreetMaps as Base Layer" %}</label> </div> - <script language="javascript" type="text/javascript">{{ open_layers|raw }}</script> + <script type="text/javascript">{{ open_layers|raw }}</script> {# End of visualization section #} {# Header section - Inclueds GIS type selector and input field for SRID #} diff --git a/test/classes/Controllers/ExportTemplateControllerTest.php b/test/classes/Controllers/ExportTemplateControllerTest.php index 8ba5e00b6f..16966ff2a9 100644 --- a/test/classes/Controllers/ExportTemplateControllerTest.php +++ b/test/classes/Controllers/ExportTemplateControllerTest.php @@ -7,6 +7,7 @@ namespace PhpMyAdmin\Tests\Controllers; use PhpMyAdmin\Controllers\ExportTemplateController; use PhpMyAdmin\Export\Template as ExportTemplate; use PhpMyAdmin\Export\TemplateModel; +use PhpMyAdmin\Http\ServerRequest; use PhpMyAdmin\Relation; use PhpMyAdmin\Template; use PhpMyAdmin\Tests\AbstractTestCase; @@ -62,11 +63,16 @@ class ExportTemplateControllerTest extends AbstractTestCase global $cfg; $cfg['Server']['user'] = 'user'; - $_POST['exportType'] = 'type'; - $_POST['templateName'] = 'name'; - $_POST['templateData'] = 'data'; - $this->controller->create(); + $request = $this->createStub(ServerRequest::class); + $request->method('getParsedBodyParam')->willReturnMap([ + ['exportType', '', 'type'], + ['templateName', '', 'name'], + ['templateData', '', 'data'], + ['template_id', null, null], + ]); + + $this->controller->create($request); $templates = [ ExportTemplate::fromArray([ @@ -99,9 +105,11 @@ class ExportTemplateControllerTest extends AbstractTestCase global $cfg; $cfg['Server']['user'] = 'user'; - $_POST['templateId'] = '1'; - $this->controller->delete(); + $request = $this->createStub(ServerRequest::class); + $request->method('getParsedBodyParam')->willReturn('1'); + + $this->controller->delete($request); $this->assertTrue($this->response->hasSuccessState()); } 
@@ -111,9 +119,11 @@ class ExportTemplateControllerTest extends AbstractTestCase global $cfg; $cfg['Server']['user'] = 'user'; - $_POST['templateId'] = '1'; - $this->controller->load(); + $request = $this->createStub(ServerRequest::class); + $request->method('getParsedBodyParam')->willReturn('1'); + + $this->controller->load($request); $this->assertTrue($this->response->hasSuccessState()); $this->assertEquals(['data' => 'data1'], $this->response->getJSONResult()); @@ -124,10 +134,14 @@ class ExportTemplateControllerTest extends AbstractTestCase global $cfg; $cfg['Server']['user'] = 'user'; - $_POST['templateId'] = '1'; - $_POST['templateData'] = 'data'; - $this->controller->update(); + $request = $this->createStub(ServerRequest::class); + $request->method('getParsedBodyParam')->willReturnMap([ + ['templateId', null, '1'], + ['templateData', '', 'data'], + ]); + + $this->controller->update($request); $this->assertTrue($this->response->hasSuccessState()); } |